Sites that require a username and password to open your account (banking, email, etc.) should have the option of allowing the user to create a temporary "disposable" password that can only be used once. Any subsequent attempt to use the same disposable password will fail. This will avoid "replay" type attacks that can occur from having your keystrokes logged on a compromised computer.

For example, suppose you're going traveling and you think you may need to access your bank. Before you go, you log in from a safe computer (home) and create a disposable password. If you need to access your bank, you can log in from any PC without fear of it logging your keystrokes and people obtaining your password, since it's invalid immediately after you use it. Worst case scenario, they know your username (or bank card number), but not your password.

Options could include creating multiple disposable passwords (that need to be used sequentially...?) for multiple occasions, or creating time windows in which they are allowed to be used for enhanced security.
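The server-side half of the idea, as an added example that is not part of the original post: a hypothetical per-account store that issues a batch of disposable passwords, keeps only salted hashes, burns each one on first valid use so a replayed keystroke log is useless, and optionally enforces the sequential-use and time-window options mentioned above (the class and its parameters are assumptions of this example, not any bank's scheme).

```python
import hashlib
import hmac
import secrets
import time


class DisposablePasswordStore:
    """Single-use passwords for one account (hypothetical, example only).

    Passwords are issued from a trusted session and stored as salted
    SHA-256 digests; each is accepted at most once, optionally only in
    issue order (sequential=True) and only within window_seconds of issue.
    """

    def __init__(self, sequential=False, window_seconds=None, clock=time.time):
        self.sequential = sequential
        self.window_seconds = window_seconds
        self.clock = clock          # injectable for testing
        self._entries = []          # oldest first: salt, digest, issued_at, used

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode()).digest()

    def issue(self, count=1):
        """Create `count` disposable passwords; the plaintexts are returned once."""
        plaintexts = []
        for _ in range(count):
            password = secrets.token_urlsafe(12)
            salt = secrets.token_bytes(16)
            self._entries.append({"salt": salt, "digest": self._digest(salt, password),
                                  "issued_at": self.clock(), "used": False})
            plaintexts.append(password)
        return plaintexts

    def verify(self, candidate):
        """True on the first valid use of a password, which burns it; False otherwise."""
        now = self.clock()
        for entry in self._entries:
            if entry["used"]:
                continue
            if not hmac.compare_digest(entry["digest"], self._digest(entry["salt"], candidate)):
                if self.sequential:
                    return False    # only the oldest unused password is acceptable
                continue
            entry["used"] = True    # burn it whether it is accepted or expired
            if self.window_seconds is not None and now - entry["issued_at"] > self.window_seconds:
                return False        # outside its time window
            return True
        return False                # unknown, already used, or replayed
```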

Why not take it a step further and try disposable phone numbers. See a girl at the bar, but afraid she might be touched in the head. Give her the disposable phone number you set up with your carrier before you left the house. If she turns out to be nuts after your first follow-up date, then there's no worries.

This is partially (very partially) baked, or was, in Germany with the bank DB24. I don't know if this is a German exclusive thing or not, but any time you wanted to pay a bill or transfer money you used a disposable number (not reusable) on a sheet of numbers given to you in the mail.

I know of at least 3 banks that have a "one time PIN" system. You still use your normal username/password, but once you get in, unless you punch in the key from a token, you can't actually transact. NatWest in the UK, Citibank Singapore and Commonwealth Bank in Australia.

[+] for having a once-off password so they never even find out your normal password.

Edit: 4x banks. The lovely folks at DBS Singapore just sent me yet another token.

My bank sends me a text message to my phone every time I want to complete a transaction. You can do nothing if you have my account number, my login name and my passwords if you don't also have my phone.

Just a comment, in retrospect: This is best suited for low-cost applications. Things like banking and corporate email are best served with SecurID (or similar). So, for example, this would be good to protect your web email or HalfBakery account. : )